Options to encrypt the enrolled identity json file

I am working through the process to secure the identity json file that is created after a user is enrolled.

I know for ssh keys and other wallets you can encrypt the files… but I am not sure for an enrolled identity.

Any specific tips?

I was thinking that it could be encrypted with the controller certificate… this should be possible with a small change… but this is not something built into the platform yet.

Scott

Hardware security module (e.g., Yubikey)? Hardware Security Modules (HSM) - PKCS11 | Ziti

2 Likes

Could also use the keychain if on a platform that supports it. The Ziti Desktop for Mac and Mobile Edge for iOS are based on the Ziti Swift SDK and store keys and certs in the keychain. Code for that is here: ziti-sdk-swift/ZitiKeychain.swift at main · openziti/ziti-sdk-swift · GitHub

2 Likes

If you’re using Java you can take a look at ziti-sdk-jvm/Enroller.kt at main · openziti/ziti-sdk-jvm · GitHub for example of using KeyStore in the Ziti JVM SDK

2 Likes

You can’t use anything to encrypt the file really other than the OS. You’ll still have the problem that an attacker with sufficient privs can find the file and unencrypt it. I think the two best choices are the ones @smilindave26 mentions. You can use a hardware root of trust or you can use the OS.

Windows has “credential manager” which is what I’d look into. Mac/iOS Dave covered. I’m not sure what Linux has available to it. I think Ubuntu has a keychain you can tie into as well but I’m not familiar with it. That’s the direction I’d probably head in first.

1 Like

I’ll describe a sysadmin, non-integrated approach to encrypting the identity config file on any major OS. You may effectively encrypt any file with OpenPGP / GnuPG separately from the normal operation of Ziti. That is, Ziti doesn’t know the file is encrypted, and so you must decrypt it on behalf of Ziti each time.

For example, you could “install” the identity in /run/user/${UID}/ziti/identity.json, where UID=1000 and /run/user/1000 is a temporary filesystem (tmpfs) owned by the default user. This particular tmpfs is created for you automatically by pam_systemd when you login, and it’s a fine place to cache plaintext.

Here’s a sample script implementing this approach.

#!/usr/bin/env bash
set -euo pipefail
# plaintext cache lives on the per-user tmpfs created by pam_systemd at login
mkdir -p /run/user/${UID}/ziti ~/.ziti
# trade the token for a certificate by enrolling
ziti-edge-tunnel enroll --jwt /tmp/ziti-identity.jwt --identity /run/user/${UID}/ziti/identity.json
# encrypt the identity config file (-u selects the signing key, -r the recipient; written out
# explicitly because "-{u,r} acme@example.com" brace-expands to "-u -r acme@example.com")
gpg -e -u acme@example.com -r acme@example.com < /run/user/${UID}/ziti/identity.json > ~/.ziti/identity.json.gpg
# decrypt the ciphertext before using the identity
gpg -qd < ~/.ziti/identity.json.gpg > /run/user/${UID}/ziti/identity.json
# run the tunneler or other SDK app
ziti-edge-tunnel run --identity /run/user/${UID}/ziti/identity.json

1 Like
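The approach above leaves the decrypted identity.json on the tmpfs for as long as the user is logged in, not just while the tunneler runs. The following wrapper is an added example, not code from the original post or from the OpenZiti project: it decrypts the identity into a 0600 file in a private directory, runs the app, and removes the plaintext when the app exits for any reason. The `XDG_RUNTIME_DIR` fallback to `mktemp -d`, the `plaintext_dir` and `run_with_identity` function names, and the `gpg -qd` decrypt command are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): run an SDK app against a
# GnuPG-encrypted identity, with the plaintext present only for the app's lifetime.
set -eu

# Directory for the plaintext cache. On systemd hosts XDG_RUNTIME_DIR is the
# per-user tmpfs (/run/user/$UID) created by pam_systemd at login; elsewhere
# fall back to a private mktemp directory (assumption: mktemp -d is available).
plaintext_dir() {
  if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
    printf '%s/ziti\n' "$XDG_RUNTIME_DIR"
  else
    mktemp -d
  fi
}

# Usage: run_with_identity CIPHERTEXT DECRYPT_CMD -- APP_CMD [ARGS...]
#   CIPHERTEXT  encrypted identity file, e.g. ~/.ziti/identity.json.gpg
#   DECRYPT_CMD reads ciphertext on stdin, writes identity JSON to stdout, e.g. "gpg -qd"
#   APP_CMD     receives the plaintext path as its final argument
# Returns the app's exit status. The plaintext is created with mode 0600 and
# removed by the subshell's EXIT trap on normal exit, error (set -e) or signal.
run_with_identity() {
  ciphertext=$1
  decrypt=$2
  shift 2
  if [ "${1:-}" != "--" ]; then
    echo "usage: run_with_identity CIPHERTEXT DECRYPT_CMD -- APP_CMD [ARGS...]" >&2
    return 2
  fi
  shift
  dir=$(plaintext_dir)
  mkdir -p -m 700 "$dir"
  plain="$dir/identity.json"
  (
    trap 'rm -f "$plain"' EXIT
    umask 077                       # file is 0600 before any plaintext bytes land
    $decrypt < "$ciphertext" > "$plain"
    "$@" "$plain"
  )
}

# Example invocation (assumed paths; the tunneler is only started when this
# script is run directly, not when the functions are sourced):
# run_with_identity ~/.ziti/identity.json.gpg "gpg -qd" -- ziti-edge-tunnel run --identity
```

Because the decrypt command is a parameter, the same wrapper works with `gpg -qd`, a `pass`-style secret store, or anything else that can stream the identity to stdout; what it does not change is the point made earlier in the thread, that a process with the user's privileges can read the plaintext while the app is running.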